On Tue, Dec 16, 2008 at 3:02 PM, Boris Goldberg <[email protected]> wrote:
> Hello Danial,
>
> Sunday, December 14, 2008, 6:06:12 PM, you wrote:
>
> D> The remote tunnel endpoint expects traffic originating from
> D> a specific ip address - the internal ip of the firewall.
>
>>> I have a tunnel successfully set up between my OpenBSD 3.8
>>> and a Cisco 7200 router.
>>> ...
>>> There are ACLs on the $remote_gw which only allow traffic
>>> NATed with my $int_if ip. Hence this nat in pf.conf:
>>> nat on enc0 inet from $int_net to $remote_host -> $int_if
>>> ...
>>> What I CAN do is ping the $remote_host through the tunnel
>>> from the $int_if with the following command:
>>> # ping -I $int_if $remote_host
>>>
>>> This works and replies are received!
>>>
>>>
>>> But if I try pinging from the $internal_host:
>>> c:\> ping $remote_host
>>>
>>> This doesn't work. The packets are not sent through the
>>> tunnel but to the internet.
>
>  I have a working tunnel like yours. Maybe there is a way to do it
> "right", but I haven't found one. But here is a workaround:

A workaround is just fine by me :)

>  Your tunnel is probably host-to-host - don't change it, but add an
> additional network-to-host one. That "dummy" tunnel won't actually transfer
> anything, but will route packets from your internal network to enc0, then
> your nat rule will change it and everything should work.

I'm not quite sure how you've done this. Could you be more specific?
Do you mean to add an additional Connection in isakmpd.conf and refer
to the same Peer but a different network (Local-ID)?

Thanks for your reply,

Danial